fix(ci): preserve mixed macOS CodeQL SARIF findings

Conservatively filter macOS CodeQL SARIF by dropping only findings where every location is SwiftPM build output. Verified with workflow sanity, local jq filtering, PR CI, and a failed-job rerun for an unrelated stalled Vitest shard.

.github/workflows/codeql.yml

@@ -177,7 +177,8 @@ jobs:
           for file in "${files[@]}"; do
             jq '
               def in_dependency_build:
-                ((.locations[0].physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
+                ((.locations // []) | length > 0)
+                and all(.locations[]; (.physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
 
               .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
             ' "$file" > "sarif-results-filtered/$(basename "$file")"